Common Weakness Enumeration

CWE-837

Allowed

Improper Enforcement of a Single, Unique Action

Abstraction: Base · Status: Incomplete

The product requires that an actor should only be able to perform an action once, or to have only one unique action, but the product does not enforce or improperly enforces this restriction.

32 vulnerabilities reference this CWE, most recent first.

GHSA-7WPF-4JWJ-R2V3

Vulnerability from github – Published: 2025-01-02 18:30 – Updated: 2025-11-04 00:32
VLAI
Details

While assignment of a user to a team (bracket) in CTFd should be possible only once, at the registration, a flaw in logic implementation allows an authenticated user to reset it's bracket and then pick a new one, joining another team while a competition is already ongoing. This issue impacts releases from 3.7.0 up to 3.7.4 and was addressed by pull request 2636 https://github.com/CTFd/CTFd/pull/2636  included in 3.7.5 release.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-11716"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-837"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-01-02T17:15:07Z",
    "severity": "MODERATE"
  },
  "details": "While assignment of a user to a team (bracket) in\u00a0CTFd  should be possible only once, at the registration, a flaw in logic implementation allows an authenticated user to reset it\u0027s bracket and then pick a new one, joining another team while a competition is already ongoing.\nThis issue impacts releases from 3.7.0 up to 3.7.4 and was addressed by  pull request 2636 https://github.com/CTFd/CTFd/pull/2636 \u00a0included in 3.7.5 release.",
  "id": "GHSA-7wpf-4jwj-r2v3",
  "modified": "2025-11-04T00:32:15Z",
  "published": "2025-01-02T18:30:36Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-11716"
    },
    {
      "type": "WEB",
      "url": "https://github.com/CTFd/CTFd/pull/2636"
    },
    {
      "type": "WEB",
      "url": "https://blog.ctfd.io/ctfd-3-7-5"
    },
    {
      "type": "WEB",
      "url": "https://cert.pl/en/posts/2025/01/CVE-2024-11716"
    },
    {
      "type": "WEB",
      "url": "https://ctfd.io"
    },
    {
      "type": "WEB",
      "url": "https://seclists.org/fulldisclosure/2024/Dec/21"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/fulldisclosure/2024/Dec/21"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-8WM9-24QG-M5QJ

Vulnerability from github – Published: 2024-09-03 21:31 – Updated: 2024-09-17 22:22
VLAI
Summary
Duplicate Advisory: Keycloak has a brute force login protection bypass
Details

Duplicate Advisory

This advisory has been withdrawn because it is a duplicate of GHSA-gc7q-jgjv-vjr2. This link is maintained to preserve external references.

Original Description

A vulnerability was found in Keycloak. This flaw allows attackers to bypass brute force protection by exploiting the timing of login attempts. By initiating multiple login requests simultaneously, attackers can exceed the configured limits for failed attempts before the system locks them out. This timing loophole enables attackers to make more guesses at passwords than intended, potentially compromising account security on affected systems.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 24.0.3"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "org.keycloak:keycloak-services"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "24.0.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-837"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-09-03T21:57:40Z",
    "nvd_published_at": "2024-09-03T20:15:09Z",
    "severity": "MODERATE"
  },
  "details": "## Duplicate Advisory\nThis advisory has been withdrawn because it is a duplicate of GHSA-gc7q-jgjv-vjr2. This link is maintained to preserve external references.\n\n## Original Description\nA vulnerability was found in Keycloak. This flaw allows attackers to bypass brute force protection by exploiting the timing of login attempts. By initiating multiple login requests simultaneously, attackers can exceed the configured limits for failed attempts before the system locks them out. This timing loophole enables attackers to make more guesses at passwords than intended, potentially compromising account security on affected systems.",
  "id": "GHSA-8wm9-24qg-m5qj",
  "modified": "2024-09-17T22:22:26Z",
  "published": "2024-09-03T21:31:12Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-4629"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2024:6493"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2024:6494"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2024:6495"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2024:6497"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2024:6499"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2024:6500"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2024:6501"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/security/cve/CVE-2024-4629"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2276761"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/keycloak/keycloak"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Duplicate Advisory: Keycloak has a brute force login protection bypass",
  "withdrawn": "2024-09-17T22:22:26Z"
}

GHSA-9W6G-7JPW-87HF

Vulnerability from github – Published: 2025-01-02 18:30 – Updated: 2025-11-04 00:32
VLAI
Details

Tokens in CTFd used for account activation and password resetting can be used interchangeably for these operations. When used, they are sent to the server as a GET parameter and they are not single use, which means, that during token expiration time an on-path attacker might reuse such a token to change user's password and take over the account. Moreover, the tokens also include base64 encoded user email.

This issue impacts releases up to 3.7.4 and was addressed by pull request 2679 https://github.com/CTFd/CTFd/pull/2679  included in 3.7.5 release.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-11717"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-837"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-01-02T17:15:07Z",
    "severity": "MODERATE"
  },
  "details": "Tokens in CTFd used for account activation and password resetting can be used interchangeably for these operations. When used, they are sent to the server as a GET parameter and they are not single use, which means, that during token expiration time an on-path attacker might reuse such a token to change user\u0027s password and take over the account.\u00a0Moreover, the tokens also include base64 encoded user email.\n\nThis issue impacts releases up to 3.7.4 and was addressed by  pull request 2679 https://github.com/CTFd/CTFd/pull/2679 \u00a0included in 3.7.5 release.",
  "id": "GHSA-9w6g-7jpw-87hf",
  "modified": "2025-11-04T00:32:15Z",
  "published": "2025-01-02T18:30:37Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-11717"
    },
    {
      "type": "WEB",
      "url": "https://github.com/CTFd/CTFd/pull/2679"
    },
    {
      "type": "WEB",
      "url": "https://blog.ctfd.io/ctfd-3-7-5"
    },
    {
      "type": "WEB",
      "url": "https://cert.pl/en/posts/2025/01/CVE-2024-11716"
    },
    {
      "type": "WEB",
      "url": "https://ctfd.io"
    },
    {
      "type": "WEB",
      "url": "https://seclists.org/fulldisclosure/2024/Dec/21"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/fulldisclosure/2024/Dec/21"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-FC55-XRCV-X657

Vulnerability from github – Published: 2026-05-07 06:31 – Updated: 2026-05-07 06:31
VLAI
Details

Tor before 0.4.9.7, when circuit queue memory pressure exists, can experience a client crash because of a double close of a circuit, aka TROVE-2026-009.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-44601"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-837"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-05-07T04:16:35Z",
    "severity": "LOW"
  },
  "details": "Tor before 0.4.9.7, when circuit queue memory pressure exists, can experience a client crash because of a double close of a circuit, aka TROVE-2026-009.",
  "id": "GHSA-fc55-xrcv-x657",
  "modified": "2026-05-07T06:31:42Z",
  "published": "2026-05-07T06:31:42Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44601"
    },
    {
      "type": "WEB",
      "url": "https://forum.torproject.org/c/news/tor-release-announcement/28"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.torproject.org/tpo/core/tor/-/commit/d4e3f6a440b58c2be661decf20c09548704907dc"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.torproject.org/tpo/core/tor/-/work_items/41237"
    },
    {
      "type": "WEB",
      "url": "https://www.openwall.com/lists/oss-security/2026/05/06/8"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-GC7Q-JGJV-VJR2

Vulnerability from github – Published: 2024-09-17 22:29 – Updated: 2024-09-17 22:29
VLAI
Summary
Keycloak Services has a potential bypass of brute force protection
Details

If an attacker launches many login attempts in parallel then the attacker can have more guesses at a password than the brute force protection configuration permits. This is due to the brute force check occurring before the brute force protector has locked the user.

Acknowledgements: Special thanks to Maurizio Agazzini for reporting this issue and helping us improve our project.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.keycloak:keycloak-services"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "22.0.12"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.keycloak:keycloak-services"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "23.0.0"
            },
            {
              "fixed": "24.0.7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.keycloak:keycloak-services"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "25.0.0"
            },
            {
              "fixed": "25.0.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-4629"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-307",
      "CWE-837"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-09-17T22:29:01Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "If an attacker launches many login attempts in parallel then the attacker can have more guesses at a password than the brute force protection configuration permits. This is due to the brute force check occurring before the brute force protector has locked the user.\n\n**Acknowledgements:**\nSpecial thanks to Maurizio Agazzini for reporting this issue and helping us improve our project.",
  "id": "GHSA-gc7q-jgjv-vjr2",
  "modified": "2024-09-17T22:29:01Z",
  "published": "2024-09-17T22:29:01Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/keycloak/keycloak/security/advisories/GHSA-gc7q-jgjv-vjr2"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-4629"
    },
    {
      "type": "WEB",
      "url": "https://github.com/keycloak/keycloak/commit/d78b3072ffffbff3954bf9f3181e3daf8e93c1ab"
    },
    {
      "type": "WEB",
      "url": "https://github.com/keycloak/keycloak/commit/c8053dd812d9b9f05b293f901b9dc39e061ebb88"
    },
    {
      "type": "WEB",
      "url": "https://github.com/keycloak/keycloak/commit/b25c28458a562abda2f84fc684e59cce8577e562"
    },
    {
      "type": "WEB",
      "url": "https://github.com/keycloak/keycloak/commit/99f92ad5fff5555d53930c2d32f8be3e08c514c1"
    },
    {
      "type": "WEB",
      "url": "https://github.com/keycloak/keycloak/commit/461fa631dc55b9739c9ed8c49de9f5b213955200"
    },
    {
      "type": "WEB",
      "url": "https://github.com/keycloak/keycloak/commit/2fb358e1a21c5387cdc11100ce3562b4dcfe5416"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/keycloak/keycloak"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2276761"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/security/cve/CVE-2024-4629"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2024:6501"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2024:6500"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2024:6499"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2024:6497"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2024:6495"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2024:6494"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2024:6493"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Keycloak Services has a potential bypass of brute force protection"
}

GHSA-HR3W-F8MH-X6JR

Vulnerability from github – Published: 2023-12-13 15:30 – Updated: 2023-12-13 15:30
VLAI
Details

A vulnerability classified as problematic has been found in Thecosy IceCMS 2.0.1. This affects an unknown part of the file /WebResource/resource of the component Love Handler. The manipulation leads to improper enforcement of a single, unique action. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-247887.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-6759"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-837"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-12-13T15:15:08Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability classified as problematic has been found in Thecosy IceCMS 2.0.1. This affects an unknown part of the file /WebResource/resource of the component Love Handler. The manipulation leads to improper enforcement of a single, unique action. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-247887.",
  "id": "GHSA-hr3w-f8mh-x6jr",
  "modified": "2023-12-13T15:30:58Z",
  "published": "2023-12-13T15:30:58Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6759"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?ctiid.247887"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?id.247887"
    },
    {
      "type": "WEB",
      "url": "http://39.106.130.187/Icecms.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-J8G5-8X38-5XQP

Vulnerability from github – Published: 2025-10-02 21:31 – Updated: 2025-10-02 21:31
VLAI
Details

The Matrix specification before 1.16 (i.e., with a room version before 12) lacks create event uniqueness.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-54315"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-837"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-10-02T19:15:31Z",
    "severity": "HIGH"
  },
  "details": "The Matrix specification before 1.16 (i.e., with a room version before 12) lacks create event uniqueness.",
  "id": "GHSA-j8g5-8x38-5xqp",
  "modified": "2025-10-02T21:31:19Z",
  "published": "2025-10-02T21:31:19Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-54315"
    },
    {
      "type": "WEB",
      "url": "https://github.com/matrix-org/matrix-spec/releases/tag/v1.16"
    },
    {
      "type": "WEB",
      "url": "https://matrix.org/blog/2025/08/project-hydra-improving-state-res"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:H/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-QWF9-CH8Q-FHX3

Vulnerability from github – Published: 2023-11-30 18:31 – Updated: 2023-11-30 18:31
VLAI
Details

A vulnerability classified as problematic has been found in IceCMS 2.0.1. Affected is an unknown function of the file /WebArticle/articles/ of the component Like Handler. The manipulation leads to improper enforcement of a single, unique action. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. VDB-246438 is the identifier assigned to this vulnerability.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-6438"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-837"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-11-30T17:15:13Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability classified as problematic has been found in IceCMS 2.0.1. Affected is an unknown function of the file /WebArticle/articles/ of the component Like Handler. The manipulation leads to improper enforcement of a single, unique action. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. VDB-246438 is the identifier assigned to this vulnerability.",
  "id": "GHSA-qwf9-ch8q-fhx3",
  "modified": "2023-11-30T18:31:18Z",
  "published": "2023-11-30T18:31:18Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6438"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?ctiid.246438"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?id.246438"
    },
    {
      "type": "WEB",
      "url": "http://124.71.147.32:8082"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-RFGJ-C5JH-9W59

Vulnerability from github – Published: 2025-09-10 00:31 – Updated: 2025-09-10 00:31
VLAI
Details

Improper action enforcement in certain Zoom Workplace Clients for Windows may allow an unauthenticated user to conduct a disclosure of information via network access.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-58135"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-837"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-09-09T22:15:34Z",
    "severity": "MODERATE"
  },
  "details": "Improper action enforcement in certain Zoom Workplace Clients for Windows may allow an unauthenticated user to conduct a disclosure of information via network access.",
  "id": "GHSA-rfgj-c5jh-9w59",
  "modified": "2025-09-10T00:31:01Z",
  "published": "2025-09-10T00:31:01Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-58135"
    },
    {
      "type": "WEB",
      "url": "https://www.zoom.com/en/trust/security-bulletin/ZSB-25036"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-RGVH-4M82-FVJQ

Vulnerability from github – Published: 2025-10-27 20:12 – Updated: 2025-10-27 22:32
VLAI
Summary
InventoryGui allows item duplication with experimental "Bundle" item in GUIs which use GuiStorageElement
Details

Impact

Any plugin using the GuiStorageElement is impacted when used on a server which allows the (currently experimental) Bundle items.

Patches

Patched with https://github.com/Phoenix616/InventoryGui/commit/00e684bd689ebc60bcb5b83ce4ef3c5a01778494 ("backported" to 1.6.3-SNAPSHOT)

Update to 1.6.4-SNAPSHOT to guarantee that it's included!

Workarounds

Don't enable the experiment "Bundle" items or don't use the GuiStorageElement in GUIs.

References

Original issue: https://github.com/Phoenix616/InventoryGui/issues/51

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 1.6.3-SNAPSHOT"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "de.themoep:inventorygui"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.6.4-SNAPSHOT"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-62782"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-837"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-10-27T20:12:50Z",
    "nvd_published_at": "2025-10-27T21:15:38Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\nAny plugin using the GuiStorageElement is impacted when used on a server which allows the (currently experimental) Bundle items.\n\n### Patches\nPatched with https://github.com/Phoenix616/InventoryGui/commit/00e684bd689ebc60bcb5b83ce4ef3c5a01778494 (\"backported\" to 1.6.3-SNAPSHOT)\n\nUpdate to 1.6.4-SNAPSHOT to guarantee that it\u0027s included!\n\n### Workarounds\nDon\u0027t enable the experiment \"Bundle\" items or don\u0027t use the GuiStorageElement in GUIs.\n\n### References\nOriginal issue: https://github.com/Phoenix616/InventoryGui/issues/51",
  "id": "GHSA-rgvh-4m82-fvjq",
  "modified": "2025-10-27T22:32:04Z",
  "published": "2025-10-27T20:12:50Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/Phoenix616/InventoryGui/security/advisories/GHSA-rgvh-4m82-fvjq"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-62782"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Phoenix616/InventoryGui/issues/51"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Phoenix616/InventoryGui/commit/00e684bd689ebc60bcb5b83ce4ef3c5a01778494"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/Phoenix616/InventoryGui"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:H/VA:L/SC:N/SI:L/SA:L",
      "type": "CVSS_V4"
    }
  ],
  "summary": "InventoryGui allows item duplication with experimental \"Bundle\" item in GUIs which use GuiStorageElement"
}

No mitigation information available for this CWE.

No CAPEC attack patterns related to this CWE.